Data Bill to cause a behavioural change in firms: Rajeev Chandrasekhar

MeitY to come up with all rules of the bill before tabling the bill in the parliament: MoS IT

The companies collecting and processing digital personal data of Indians will have to go for deep behavioral changes and it will not be business as usual for them after enactment of the Digital Personal Data Protection (DPDP) Bill, 2022.

This was stated by Rajeev Chandrasekhar, minister of state for Electronics and Information Technology, during public consultations on Friday.

The draft Bill, released in November, has provisions of hefty financial penalties ranging up to Rs 250 crore for each instance of failure in taking security safeguards to prevent personal data breaches.

Failure to notify the data protection Board and affected “data principals” in the event of a personal data breach may invite a penalty of up to Rs 200 crore. 

Under the obligations of data fiduciaries, the Bill says, “Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent a personal data breach.”

It also has a clause stating that, “In the event of a personal data breach, the Data Fiduciary or Data Processor, as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed.”

Chandrasekhar said that entities collecting personal data will be completely responsible for ensuring compliance. It is even on behalf of their third-party contractors processing the data. 

“There is no ambiguity about where the obligation lies under this Act. It starts and ends with the data fiduciary who has collected the data from the principal. The (third-party) processors may be liable to the data fiduciary, as a nature of their contract,” he said. 

The minister said, though the Bill has not classified the personal data between sensitive or non-sensitive and critical personal data, it will be considered while deciding the amount of penalties for data breaches.

Chandrasekhar added that the government may tighten the ‘deemed consent’ provision for processing personal data under the DPDP Bill, 2022, to restrict it to exceptional circumstances.

The draft Bill, released by the ministry of electronics and IT (MeitY), provides a clause for where the data owners or ‘principals’ are deemed to have given consent to the fiduciaries to process their personal data. It is in a situation where “..it is reasonably expected that she would provide such personal data.”

When stakeholders sought clarity on the clause, Chandrasekhar said: “The deemed consent section is really meant for these exceptional cases where consent is not required or appropriate. If there is something in the language that makes it vague or open-ended, we will certainly tighten it up.”

He added that the new Bill, once enacted, will bring a behavioral change in the relationship between fiduciaries and principals.

The much-awaited privacy law seeks to enforce Indian citizens’ right to privacy as a fundamental right. The draft document provides a legal framework for collecting and processing personal digital data in India.

Industry stakeholders, including representatives of trade bodies such as ASSOCHAM, FICCI, and NASSCOM, as well as various policy advocacy groups participated in the public consultations. 

Major suggestions from the stakeholders included tweaks in the definition of a child in the Bill, the introduction of compensation to users in case of a breach, and clarity on the criteria of the list of countries where data storage is allowed.   

A representative of NASSCOM, the industry body of software companies, said: “While the emphasis on protecting children's rights is understood, the problem is that the consent of a data principal is globally known as one individual, who allows data mapping in the real world. But here, we are conflating the consent for children’s personal data with both the child and their guardians. So, it becomes three people. It is conceptually a bit confusing.” 

Chandrasekhar said geographies where the right of Indian citizens is enforceable will likely be eligible to become a part of the trusted countries for storing the data. However, the task of listing such countries has been left to the government and home ministry, he said.  

The draft for the first time included additional obligations in relation to the processing of personal data of children.

Failure concerning the processing of personal data of children may also cause the fiduciaries to pay Rs 200 crore in fines.